Exercise 5: Building an Automated Detection
Estimated Time to Complete: 20 minutes
Objectives
Below is the overall automated detection that we are building:

There is one component missing: the EventBridge rule that links this all together!
Your objectives:
- View the Lambda function that will handle the event
- Create an AWS EventBridge rule to capture CloudTrail data events involving your `password-backup.txt` honey file and trigger a Lambda function called `HoneyFileDetection`
- Perform T1530 (Data from Cloud Storage) once more to trigger this automation
- Review Security Hub to find your automated detection
Challenges
Challenge 1: View HoneyFileDetection Lambda Function
Go to the Lambda service and view the code for the HoneyFileDetection function. What is this function doing when it receives information from another service?
Solution
- Navigate directly to the `HoneyFileDetection` function by going here.
- If you scroll down, you can see the Python code for this function.

- If you have written Python before, you may be able to determine what this code is performing. If not, here is a breakdown:

| Line numbers | Description |
|---|---|
| 1 - 2 | Import the AWS Software Development Kit (SDK) for Python (`boto3`) and regular expression (`re`) modules necessary for this automation to function properly. |
| 4 | Begin the handler function. This is the Python function that is triggered when the Lambda function is executed. |
| 5 - 9 | Since the Security Hub finding that this will generate (more on this in a moment) will have a field name depending on the version of the Internet Protocol (IP) that was identified, set the proper field name by analyzing the `detail.sourceIPAddress` portion of the event that is passed into the Lambda function. |
| 11 - 15 | Acquire the account number for the account in which this function is running so that the generated finding contains the proper information. |
| 17 - 23 | As the `userName` entry can be found two different ways depending on whether you are using IAM roles, this code extracts the `userName` value properly. Otherwise, the function will error (thanks Shaun McCullough :)) |
| 25 - 64 | Based on the information passed to the Lambda function, generate a Security Hub finding with the proper context (e.g., where the `password-backup.txt` file request came from, the name of the API call, the location of the accessed file, the type of finding, and much more). |
| 66 - 69 | Just a basic `return` that will inform the caller of any manual invocations that the run was successful. |
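To make the breakdown concrete, here is an added example handler that follows the same steps: pick the IPv4 or IPv6 field from `detail.sourceIPAddress`, extract `userName` for both IAM users and assumed roles, and assemble a Security Hub finding in the AWS Security Finding Format (ASFF). This is not the workshop's `HoneyFileDetection` code; the finding type, severity, `ProductFields` names and the sample event (account, bucket, IP address) are all chosen here, and the account ID is read from the EventBridge envelope rather than from STS as the original does.

```python
# Added example, not the workshop's HoneyFileDetection function. Field choices
# (Types, Severity, ProductFields) and the sample event are assumptions.
import datetime
import ipaddress


def source_ip_field(source_ip):
    """Map detail.sourceIPAddress to the ASFF Network field name it belongs in.
    CloudTrail puts a DNS name here when an AWS service made the call, so a
    non-IP value yields None instead of raising."""
    try:
        return "SourceIpV4" if ipaddress.ip_address(source_ip).version == 4 else "SourceIpV6"
    except ValueError:
        return None


def caller_user_name(user_identity):
    """userName sits in different places for IAM users and for assumed roles."""
    if "userName" in user_identity:                        # type IAMUser
        return user_identity["userName"]
    issuer = user_identity.get("sessionContext", {}).get("sessionIssuer", {})
    if "userName" in issuer:                               # type AssumedRole
        return issuer["userName"]
    return user_identity.get("arn", "unknown")             # root, service, etc.


def build_finding(event, account_id=None, now=None):
    """Assemble the ASFF finding from the EventBridge envelope and CloudTrail detail."""
    detail = event["detail"]
    region = event["region"]
    account_id = account_id or event["account"]  # original asks STS instead
    now = now or datetime.datetime.now(datetime.timezone.utc)
    stamp = now.strftime("%Y-%m-%dT%H:%M:%SZ")
    params = detail.get("requestParameters") or {}
    bucket = params.get("bucketName", "unknown-bucket")
    key = params.get("key", "unknown-key")
    source_ip = detail.get("sourceIPAddress", "")
    user_name = caller_user_name(detail.get("userIdentity", {}))
    finding = {
        "SchemaVersion": "2018-10-08",
        "Id": f"honeyfile/{detail.get('eventID', stamp)}",
        "ProductArn": f"arn:aws:securityhub:{region}:{account_id}:product/{account_id}/default",
        "GeneratorId": "HoneyFileDetection",
        "AwsAccountId": account_id,
        "Types": ["TTPs/Collection/HoneyFileAccess"],  # T1530 sits under Collection
        "CreatedAt": stamp,
        "UpdatedAt": stamp,
        "Severity": {"Label": "HIGH"},
        "Title": "Honey file used",
        "Description": (f"{user_name} called {detail.get('eventName')} on "
                        f"s3://{bucket}/{key} from {source_ip or 'an unknown source'}"),
        "Resources": [{"Type": "AwsS3Object", "Id": f"arn:aws:s3:::{bucket}/{key}",
                       "Region": region}],
        "ProductFields": {"EventName": str(detail.get("eventName")),
                          "UserAgent": str(detail.get("userAgent")),
                          "PrincipalArn": str(detail.get("userIdentity", {}).get("arn"))},
    }
    ip_field = source_ip_field(source_ip)
    if ip_field:  # only one of SourceIpV4 / SourceIpV6 is valid for a given address
        finding["Network"] = {ip_field: source_ip}
    return finding


def lambda_handler(event, context, securityhub=None):
    """Entry point: pass a boto3 securityhub client, or let one be created here."""
    if securityhub is None:
        import boto3  # imported lazily so the rest runs without the SDK installed
        securityhub = boto3.client("securityhub")
    response = securityhub.batch_import_findings(Findings=[build_finding(event)])
    return {"statusCode": 200,
            "body": f"imported {response.get('SuccessCount', 0)} finding(s), "
                    f"failed {response.get('FailedCount', 0)}"}


class FakeSecurityHub:
    """Offline stand-in for boto3's securityhub client, used by the demo below."""
    def __init__(self):
        self.imported = []

    def batch_import_findings(self, Findings):
        self.imported.extend(Findings)
        return {"SuccessCount": len(Findings), "FailedCount": 0, "FailedFindings": []}


# Constructed sample event: an assumed role reading the honey file (sample values).
SAMPLE_EVENT = {
    "version": "0", "source": "aws.s3", "detail-type": "AWS API Call via CloudTrail",
    "region": "us-east-1", "account": "123456789012",
    "detail": {
        "eventID": "11111111-2222-3333-4444-555555555555",
        "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
        "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.11.0",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::123456789012:assumed-role/workshop-role/session",
            "sessionContext": {"sessionIssuer": {"userName": "workshop-role"}},
        },
        "requestParameters": {"bucketName": "databackup-example", "key": "password-backup.txt"},
    },
}

if __name__ == "__main__":
    import json
    hub = FakeSecurityHub()
    print(lambda_handler(SAMPLE_EVENT, None, securityhub=hub))
    print(json.dumps(hub.imported[0], indent=2))
```

Running the file prints the handler's return value and the finding it would have sent with `batch_import_findings`. The `ProductArn` uses the `product/<account>/default` form, which is the only product ARN an account can import custom findings under without registering its own product.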
Challenge 2: Create EventBridge Rule
Now that you understand what the function will do once called upon, create an AWS EventBridge rule with the following logic that will trigger this function in the event that anyone accesses the password-backup.txt honey file:
- Captures any S3 API call
- The S3 object key acted upon has a value of `password-backup.txt` (the honey file)
- The target of the rule is the `HoneyFileDetection` Lambda function
Solution
- Navigate to the EventBridge service.
- Begin creating a new rule by ensuring that the EventBridge Rule radio button is selected (1) and clicking on Create rule (2).

- When going through this rule creation wizard, the first step is to give the rule a name and determine how it will be triggered (i.e., when an event occurs or on a certain schedule). Give your rule the name `honeyfile` (1), select the Rule with an event pattern radio button (2) (since we want to detect the honey file access as fast as we can), and click Next (3) to continue.
- The next page is where most of the heavy lifting is done. First, you must choose the event source. Since we want the EventBridge rule to fire when certain AWS API calls are made, leave the default of AWS events or EventBridge partner events and scroll down the page to the final part: defining the rule logic (Event pattern).

- In the Event pattern section, you can select what you are interested in detecting and AWS will build the rule logic for you... mostly. We will make a small edit to it, but first let's have AWS do most of the building for us. Since we want to detect an AWS service, leave the top dropdown as it is, set to AWS services (1). Next, click the AWS service dropdown (2) and select Simple Storage Service (S3) (3).

- After selecting S3 as your service, a new dropdown will appear. Click on the Event type dropdown (1) and select Object-Level API Call via CloudTrail (2), since we want to know whenever our S3 object (the honey file) is accessed in any way.

- After making that last selection, you should notice that the Event pattern box on the right begins to populate. This JSON document defines what EventBridge will be looking for and, if there is a match, EventBridge will pass the event to a target.

- So far, this is the event pattern:

```json
{
  "source": ["aws.s3"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["s3.amazonaws.com"],
    "eventName": [
      "ListObjects", "ListObjectVersions", "PutObject", "GetObject", "HeadObject",
      "CopyObject", "GetObjectAcl", "PutObjectAcl", "CreateMultipartUpload", "ListParts",
      "UploadPart", "CompleteMultipartUpload", "AbortMultipartUpload", "UploadPartCopy",
      "RestoreObject", "DeleteObject", "DeleteObjects", "GetObjectTorrent",
      "SelectObjectContent", "PutObjectLockRetention", "PutObjectLockLegalHold",
      "GetObjectLockRetention", "GetObjectLockLegalHold"
    ]
  }
}
```

- This would capture all events from any S3 object. This is much too broad. You will need to narrow this down by editing the JSON. Click on the Edit pattern button.

- You will need to specify that the requested key is equal to `password-backup.txt` so that only those interactions are passed to the target. The easiest way is to replace the JSON document with the content below (1). Click Next (2) when finished.

```json
{
  "source": ["aws.s3"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["s3.amazonaws.com"],
    "eventName": [
      "ListObjects", "ListObjectVersions", "PutObject", "GetObject", "HeadObject",
      "CopyObject", "GetObjectAcl", "PutObjectAcl", "CreateMultipartUpload", "ListParts",
      "UploadPart", "CompleteMultipartUpload", "AbortMultipartUpload", "UploadPartCopy",
      "RestoreObject", "DeleteObject", "DeleteObjects", "GetObjectTorrent",
      "SelectObjectContent", "PutObjectLockRetention", "PutObjectLockLegalHold",
      "GetObjectLockRetention", "GetObjectLockLegalHold"
    ],
    "requestParameters": {
      "key": ["password-backup.txt"]
    }
  }
}
```
- The next page decides where to send this event (i.e., the target). Since we are sending this to another AWS service component, the `HoneyFileDetection` Lambda function, choose the AWS service radio button (1), click the Select a target type dropdown (2), and choose Lambda function (3).

- A new dropdown and options will appear. Click on the Function dropdown (1) and choose your `HoneyFileDetection` function (2). Click Next (3) when finished.
- And that's all we need! Click Next on the next page (1) and Create rule (2) at the bottom of the final page.


- The new rule should automatically be enabled.
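The two patterns above differ only in the `requestParameters.key` constraint, and the difference is easy to get wrong (a missing field never matches, an array means "any of these", a nested object means "all of these"). The following added example, which is not part of the workshop, re-implements EventBridge's exact-match semantics in Python so you can check both patterns against constructed CloudTrail events offline. The event bodies, bucket name, account number and IP address are made up; only the operators the two patterns use are implemented (no prefix, anything-but or numeric matchers).

```python
# Added example, not from the workshop: a minimal EventBridge exact-match
# pattern evaluator plus constructed S3 CloudTrail events to run it over.
S3_OBJECT_EVENTS = [  # same list the console generated above
    "ListObjects", "ListObjectVersions", "PutObject", "GetObject", "HeadObject",
    "CopyObject", "GetObjectAcl", "PutObjectAcl", "CreateMultipartUpload", "ListParts",
    "UploadPart", "CompleteMultipartUpload", "AbortMultipartUpload", "UploadPartCopy",
    "RestoreObject", "DeleteObject", "DeleteObjects", "GetObjectTorrent",
    "SelectObjectContent", "PutObjectLockRetention", "PutObjectLockLegalHold",
    "GetObjectLockRetention", "GetObjectLockLegalHold",
]

BROAD_PATTERN = {
    "source": ["aws.s3"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["s3.amazonaws.com"], "eventName": S3_OBJECT_EVENTS},
}

NARROW_PATTERN = {
    "source": ["aws.s3"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["s3.amazonaws.com"],
        "eventName": S3_OBJECT_EVENTS,
        "requestParameters": {"key": ["password-backup.txt"]},
    },
}


def matches(pattern, event):
    """True if `event` satisfies `pattern` under EventBridge's exact-match rules:
    every field named in the pattern must exist in the event; an array leaf
    matches when the event value equals any member; a nested object recurses
    (all of its fields must match)."""
    for field, expected in pattern.items():
        if field not in event:
            return False
        actual = event[field]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif isinstance(expected, list):
            # EventBridge also matches an array-valued event field if any element hits.
            candidates = actual if isinstance(actual, list) else [actual]
            if not any(c in expected for c in candidates):
                return False
        else:
            raise ValueError(f"pattern leaf for {field!r} must be an array")
    return True


def cloudtrail_s3_event(event_name, key=None, bucket="databackup-example"):
    """Constructed EventBridge envelope for an S3 CloudTrail event (sample values).
    Bucket-level calls such as ListObjects carry no object key, so key=None omits it."""
    params = {"bucketName": bucket}
    if key is not None:
        params["key"] = key
    return {
        "version": "0", "source": "aws.s3", "detail-type": "AWS API Call via CloudTrail",
        "region": "us-east-1", "account": "123456789012",
        "detail": {
            "eventSource": "s3.amazonaws.com",
            "eventName": event_name,
            "sourceIPAddress": "203.0.113.10",
            "requestParameters": params,
        },
    }


def evaluate(pattern, events):
    """Return (eventName, key, matched) for each event, for a quick comparison table."""
    return [(e["detail"]["eventName"],
             e["detail"]["requestParameters"].get("key"),
             matches(pattern, e)) for e in events]


SAMPLE_EVENTS = [
    cloudtrail_s3_event("GetObject", "password-backup.txt"),   # the honey file
    cloudtrail_s3_event("GetObject", "quarterly-report.pdf"),  # an ordinary object
    cloudtrail_s3_event("ListObjects"),                        # bucket listing, no key
    cloudtrail_s3_event("GetBucketPolicy"),                    # not an object-level call
]

if __name__ == "__main__":
    for name, pattern in (("broad", BROAD_PATTERN), ("narrow", NARROW_PATTERN)):
        print(name)
        for event_name, key, hit in evaluate(pattern, SAMPLE_EVENTS):
            print(f"  {event_name:<16} {str(key):<22} {'MATCH' if hit else '-'}")
```

The broad pattern fires for the honey file, the ordinary object and the bucket listing alike; the narrowed one fires only for the honey file, and the `ListObjects` event drops out because it has no `requestParameters.key` at all. For the authoritative answer on a real pattern, `aws events test-event-pattern --event-pattern file://pattern.json --event file://event.json` evaluates it with the service's own matcher and returns `"Result": true` or `false`. Remember too that EventBridge only ever sees these object-level events when CloudTrail data event logging is enabled for the bucket; a pattern that tests fine but never fires in the account usually points there.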

Challenge 3: Emulate Stolen File Access
Now let's see whether the EventBridge rule fires, the Lambda function executes, and a new Security Hub finding appears related to the access of the honey file. Perform the attack again by downloading the `password-backup.txt` file from S3.
Solution
- List the contents of the bucket whose name begins with `databackup-`.

```bash
BUCKET=$(aws s3api list-buckets | jq -r \
  '.Buckets[] | select(.Name | startswith("databackup-")) | .Name')
aws s3 ls s3://$BUCKET/
```

Sample result:

```
2023-03-19 10:16:30 91 password-backup.txt
```
- Download the `password-backup.txt` file using the `aws s3 cp` command.

```bash
aws s3 cp s3://$BUCKET/password-backup.txt /home/cloudshell-user/password-backup.txt
```

Sample result:

```
download: s3://databackup-123456789010/password-backup.txt to ../password-backup.txt
```

- This should be enough to trigger the EventBridge rule, since the AWS CLI performed the `s3:GetObject` API call for you.
Challenge 4: Review Security Hub Detection
And now for the moment of truth: to see if this automated detection generated a finding in AWS Security Hub. Navigate to the Security Hub service to discover your finding.
Note
It may take a few minutes for the finding to appear, even if all went according to plan.
Solution
- Navigate to the Security Hub service's Summary page.
- Here, you will see a roll-up of all Security Hub compliance and finding information. To view specific findings, click on the Findings link in the left pane.

- When you arrive at the Findings page, you will likely see, at the top of the list of findings, one called Honey file used. You will even see the honey file listed in the Resource column. Click on that finding to reveal more details (all of which were generated by the `HoneyFileDetection` Lambda function).
- You should now see a pane pop out on the right with the finding details. Feel free to expand each section to review the content populated by the Lambda function based upon the event information passed in from EventBridge.

Conclusion
Congrats! You have successfully built a detection to spot an adversary accessing a honey file! More importantly, you have walked through a process to create a detection:
